Getting Data In

Splunk Universal Forwarder and Two Destinations

nikhilmehra79
Path Finder

Hi,

I have a Splunk forwarder sending data to my prod box and I see a need to build a new dev server for testing/researching. I have a quick question.

My output.conf on Universal Forwarder looks like:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 198.11.16.1:9997

[tcpout-server://198.11.16.1:9997]

Which has the IP of my first Splunk server. Can I add another server here, and if yes, how will it look?

Is this the only file I need to edit and restart the Splunk forwarder to be done?

0 Karma

ian_thompson1
Engager

Nikhil,

What you are attempting to do is called "Data Cloning". For this type of situation you will need 2 target groups, and then specify each indexer in that target group. Look at Data Cloning in the Documentation here.

Also, while nice I would actually rename the target groups to your liking. Such as,

[tcpout]
defaultGroup = productionSplunk, developmentSplunk

[tcpout:productionSplunk]
server = 198.11.16.1:9997

[tcpout:developmentSplunk]
server = 198.11.16.X:9997

As always, tcpout-server is optional. Read the documentation link for more information.
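An added example, not part of the thread and not Splunk tooling: a small Python check that reads an outputs.conf body and reports whether `defaultGroup` results in cloning (several target groups) or load balancing (several receivers in one group), and flags any group named in `defaultGroup` that has no matching `[tcpout:<name>]` stanza with a `server` setting. The function name, the mode labels and the sample inputs are assumptions constructed for illustration.

```python
import configparser

# Constructed inputs: CLONED follows the answer's layout, BROKEN has a group-name typo.
CLONED = """
[tcpout]
defaultGroup = productionSplunk, developmentSplunk

[tcpout:productionSplunk]
server = 198.11.16.1:9997

[tcpout:developmentSplunk]
server = 198.11.16.2:9997
"""
BROKEN = CLONED.replace("[tcpout:developmentSplunk]", "[tcpout:devSplunk]")

def analyze_outputs(text):
    """Return (mode, {group: [receivers]}, problems) for an outputs.conf body."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names such as defaultGroup case-sensitive
    cp.read_string(text)
    default = cp.get("tcpout", "defaultGroup", fallback="")
    names = [g.strip() for g in default.split(",") if g.strip()]
    groups, problems, owner = {}, [], {}
    for name in names:
        section = "tcpout:" + name
        raw = cp.get(section, "server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        if not servers:
            problems.append(f"{name}: no [{section}] stanza with a server setting")
            continue
        groups[name] = servers
        for s in servers:
            if s in owner:  # same receiver in two groups would get every event twice
                problems.append(f"{s} is listed in both {owner[s]} and {name}")
            owner[s] = name
    if len(groups) > 1:
        mode = "cloning"          # every event goes to each group
    elif groups and len(next(iter(groups.values()))) > 1:
        mode = "load-balancing"   # events are spread across one group's receivers
    else:
        mode = "single-destination" if groups else "no-output"
    return mode, groups, problems

if __name__ == "__main__":
    for label, text in (("cloned", CLONED), ("broken", BROKEN)):
        print(label, analyze_outputs(text))
```
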

nikhilmehra79
Path Finder

I tried this but it stopped the prod stream too...
Any error you see, or do I need to do anything on the indexer too...?

[tcpout]
defaultGroup = productionSplunk, developmentSplunk

[tcpout:productionSplunk]
server = 198.11.16.1:9997

[tcpout:developmentSplunk]
server = 198.11.16.2:9997

0 Karma

nikhilmehra79
Path Finder

Another quickie... in [tcpout], does the [] refer to a comment...

0 Karma

ian_thompson1
Engager

Because the name is arbitrary to begin with it should be trivial to make the change.

As far as licensing is concerned data cloning is usually covered under an HA license. I have asked a few Splunkers about dev/test and don't have an answer for you. Probably best to contact your Sales rep or Splunk Certified Partner to shore that up.

0 Karma

nikhilmehra79
Path Finder

Thanks, makes sense. If I rename defaultGroup = productionSplunk, to defaultGroup = productionSplunk, it should not have any effect on the already live production instance, right? And also, do we use two times the licenses if we use data cloning (as these are separate instances)? I don't want a dev server to be part of the production cluster.

0 Karma